Solution
Please install the updated packages.
Insight
Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet.
A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the "exim" user, they could cause Exim to execute arbitrary commands as the root user. (CVE-2010-4345)
This update adds a new configuration file, "/etc/exim/trusted-configs". To prevent Exim from running arbitrary commands as root, Exim will now drop privileges when run with a configuration file not listed as trusted. This could break backwards compatibility with some Exim configurations, as the trusted-configs file only trusts "/etc/exim/exim.conf" and "/etc/exim/exim4.conf" by default. If you are using a configuration file not listed in the new trusted-configs file, you will need to add it manually.
Additionally, Exim will no longer allow a user to execute exim as root with the -D command line option to override macro definitions. All macro definitions that require root permissions must now reside in a trusted configuration file.
Users of Exim are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the exim daemon will be restarted automatically.
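As an added example (not part of the advisory or of the Exim project), the following POSIX shell check lets an administrator see whether a given Exim configuration path appears in the trusted-configs list described above, and so whether Exim will keep or drop root privileges for it after this update. It assumes one path per line in the list and treats blank lines and lines beginning with '#' as ignorable; that comment handling is an assumption, not something the advisory states.

```shell
#!/bin/sh
# Added example: audit helper for the trusted-configs mechanism introduced
# by the CVE-2010-4345 update. Not code from the advisory or from Exim.

# Usage: exim_config_trusted CONFIG_PATH [TRUSTED_LIST]
# Returns 0 if CONFIG_PATH is listed, 1 if it is not, 2 if the list is unreadable.
exim_config_trusted() {
    cfg=$1
    list=${2:-/etc/exim/trusted-configs}
    [ -r "$list" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        # Assumption: blank lines and '#' comment lines carry no path.
        case $line in
            ''|'#'*) continue ;;
        esac
        # Exact string match: a path must appear verbatim to be trusted.
        [ "$line" = "$cfg" ] && return 0
    done < "$list"
    return 1
}

# Constructed sample mirroring the advisory's default contents, written to a
# temporary file so the check can be exercised without touching /etc/exim.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
printf '%s\n' '/etc/exim/exim.conf' '/etc/exim/exim4.conf' > "$SAMPLE_LIST"

# Walks a few candidate config paths and reports how Exim would treat each.
audit_demo() {
    for c in /etc/exim/exim.conf /etc/exim/exim4.conf /etc/exim/custom.conf; do
        if exim_config_trusted "$c" "$SAMPLE_LIST"; then
            echo "trusted:   $c (Exim keeps root privileges)"
        else
            echo "untrusted: $c (Exim drops privileges; add it to the list if intended)"
        fi
    done
}

audit_demo
```

Point the second argument at the real /etc/exim/trusted-configs to audit a live host; an untrusted result for the config Exim actually loads explains a post-update privilege drop.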
Affected
exim on CentOS 5
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2010-4345
CVSS Base Score: 6.9
AV:L/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities